From: Thomas Monjalon <thomas@monjalon.net>
To: Ferruh Yigit <ferruh.yigit@intel.com>
Cc: Andrew Rybchenko <arybchenko@solarflare.com>,
dev@dpdk.org, Bruce Richardson <bruce.richardson@intel.com>,
david.marchand@redhat.com
Subject: Re: [dpdk-dev] [dpdk-stable] [PATCH] mk: remove library search path from binary
Date: Thu, 21 Nov 2019 22:17:03 +0100
Message-ID: <3174926.22sA95HNGQ@xps>
In-Reply-To: <5b9ae095-6926-b67a-6368-29db57782213@intel.com>

21/11/2019 18:12, Ferruh Yigit:
> On 11/18/2019 3:14 PM, Thomas Monjalon wrote:
> > 12/11/2019 14:15, Ferruh Yigit:
> >> This patch functionally reverts the patch in the fixes line to not have any
> >> hardcoded library path in the final binary for security reasons, in
> >> case this binary is distributed to a production environment.
> >
> > What about meson?
> > There are these rpaths:
> > $ORIGIN/../lib
> > $ORIGIN/../drivers
> >
> >
> >> RPATH is only added in the RTE_DEVEL_BUILD case and this binary shouldn't be
> >> distributed, but still removing it to be cautious.
> >
> > For convenience, we could keep adding rpath for internal apps.
>
> This was the main intention, but the concern is that someone unaware of this
> capability distributes a binary that we think will be internal.

Internal apps are only for developers.
I don't see how there could be a security issue.

> >> --- a/devtools/test-null.sh
> >> +++ b/devtools/test-null.sh
> >
> >> if ldd $testpmd | grep -q librte_ ; then
> >> + export LD_LIBRARY_PATH=$build/lib:$LD_LIBRARY_PATH
> >> libs='-d librte_mempool_ring.so -d librte_pmd_null.so'
> >
> >
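
Review bot: in the added `export LD_LIBRARY_PATH=$build/lib:$LD_LIBRARY_PATH` line, an unset or empty LD_LIBRARY_PATH leaves a trailing colon, and the dynamic linker treats an empty entry as the current working directory, which reintroduces an implicit search path of the kind this patch sets out to remove. Suggest `export LD_LIBRARY_PATH="$build/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"`, which also quotes `$build`.
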
> > There is an issue in this change, because $build may be undefined.
> > It can be fixed by adding this line:
> >
> > +[ -f "$testpmd" ] && build=$(dirname $(dirname $testpmd))
> > [ -f "$testpmd" ] || testpmd=$build/app/dpdk-testpmd
> > [ -f "$testpmd" ] || testpmd=$build/app/testpmd
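
Review bot: the added `build=$(dirname $(dirname $testpmd))` line leaves `$testpmd` and the inner substitution unquoted, so a path containing spaces is split into several words and `dirname` fails or returns the wrong directory. Suggest `build=$(dirname "$(dirname "$testpmd")")`, matching the quoting the `[ -f "$testpmd" ]` tests on the same lines already use.
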
>
> 'build' is already defined as follows at the beginning of the script:
> build=${1:-build}

Yes, but $1 can be the testpmd path as well, so $build is meaningless.

> And if 'build' is wrong/missing, the script can't reach this line at all, because
> the 'testpmd' path is found based on 'build', and if 'testpmd' is not found, the script will exit.

No, $testpmd can be defined from $1, not based on $build.
You missed this comment:
	build=${1:-build} # first argument can be the build directory
	testpmd=$1 # or first argument can be the testpmd path

> Can you please give more detail on what the problem with 'build' is?

If the testpmd path is directly passed as the first parameter,
the build directory is not known.
That's why I suggest getting it with $(dirname $(dirname $testpmd)).
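
The argument handling discussed in this message, as an added example that is not part of the thread or of DPDK's devtools/test-null.sh: it resolves the build directory whether the first argument is the build directory or the testpmd path, and prepends the library directory without leaving an empty search-path entry. The function names are hypothetical, the build tree is constructed for the demonstration, and the binary is assumed to sit at `<build>/app/<name>` as in the paths quoted above.

```shell
#!/bin/sh
# Added example; not DPDK's devtools/test-null.sh. Function names are hypothetical.
# Assumes the binary sits at <build>/app/<name>, as in the paths quoted above.

# resolve_build ARG: ARG is either the build directory or the testpmd path.
resolve_build() {
    arg=${1:-build}
    if [ -f "$arg" ]; then
        dirname "$(dirname "$arg")"   # <build>/app/testpmd -> <build>
    else
        printf '%s\n' "$arg"
    fi
}

# resolve_testpmd ARG: print the binary path, or return 1 if none is found.
resolve_testpmd() {
    if [ -f "$1" ]; then
        printf '%s\n' "$1"
        return 0
    fi
    b=${1:-build}
    for candidate in "$b/app/dpdk-testpmd" "$b/app/testpmd"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# lib_path BUILD [CURRENT]: prepend BUILD/lib without leaving an empty entry
# (an empty LD_LIBRARY_PATH entry means the current working directory).
lib_path() {
    printf '%s\n' "$1/lib${2:+:$2}"
}

# Constructed tree: the same build directory is found from either argument form.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/my build/app"
    : > "$tmp/my build/app/testpmd"
    resolve_build "$tmp/my build"
    resolve_build "$tmp/my build/app/testpmd"
    lib_path "$(resolve_build "$tmp/my build/app/testpmd")" ""
    rm -rf "$tmp"
}
demo
```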